Releases10
Frequency3 months 1 day
Last Release
Implementation of parts of Drupal’s user/access control API.

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
>= 8.9.0, < 10.4.10, >= 10.5.0, < 10.5.10, >= 10.6.0, < 10.6.9, >= 11.0.0, < 11.1.10, >= 11.2.0, < 11.2.12, >= 11.3.0, < 11.3.109.8 CRITICAL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10.

>= 11.3.0, < 11.3.76.1 MEDIUM

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

>= 8.0.0, < 10.5.9, >= 10.6.0, < 10.6.7, >= 11.0.0, < 11.2.11, >= 11.3.0, < 11.3.76.6 MEDIUM

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

>= 8.0.0, < 10.5.9, >= 10.6.0, < 10.6.7, >= 11.0.0, < 11.2.11, >= 11.3.0, < 11.3.76.1 MEDIUM

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.84.3 MEDIUM

User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.83.7 LOW

Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8, from 7.0 before 7.103.

>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.85.3 MEDIUM

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

>= 8.0.0, < 10.4.9, >= 10.5.0, < 10.5.6, >= 11.0.0, < 11.1.9, >= 11.2.0, < 11.2.85.9 MEDIUM

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

>= 10.4.0, < 10.4.3, >= 11.0.0, < 11.0.12, >= 11.1.0, < 11.1.3, >= 8.0.0, < 10.3.136.1 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

>= 10.4.0, < 10.4.5, >= 11.0.0, < 11.0.13, >= 11.1.0, < 11.1.5, >= 8.0.0, < 10.3.145.4 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5. It also affects the Drupal 7 module from versions 7.x-1.0 through 7.x-1.12.

>= 10.4.0, < 10.4.3, >= 11.0.0, < 11.0.12, >= 11.1.0, < 11.1.3, >= 8.0.0, < 10.3.134.6 MEDIUM

Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

>= 10.4.0, < 10.4.3, >= 11.0.0, < 11.0.12, >= 11.1.0, < 11.1.3, >= 8.0.0, < 10.3.137.5 HIGH

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

>= 10.3.0, < 10.3.9, >= 7.0, < 7.102, >= 8.0.0, < 10.2.119.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

>= 7.0, < 7.1026.1 MEDIUM

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.

>= 10.3.0, < 10.3.9, >= 11.0.0, < 11.0.8, >= 8.8.0, < 10.2.115.4 MEDIUM

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

>= 10.3.0, < 10.3.9, >= 8.0.0, < 10.2.11, >= 11.0.0, < 11.0.89.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

>= 10.3.0, < 10.3.9, >= 8.0.0, < 10.2.11, >= 11.0.0, < 11.0.88.1 HIGH

A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

>= 10.3.0, < 10.3.9, >= 8.0.0, < 10.2.11, >= 11.0.0, < 11.0.89.8 CRITICAL

Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

>= 10.2.0, < 10.2.2, >= 8.0.0, < 10.1.87.5 HIGH

A vulnerability in Drupal Core allows Excessive Allocation.This issue affects Drupal Core: from 10.2.0 before 10.2.2, from 10.1.0 before 10.1.8.

>= 10.0.0, < 10.2.105.9 MEDIUM

A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.

= 2023-05-095.3 MEDIUM

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

= 9.3.67.5 HIGH

Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition.

>= 10.1.0, < 10.1.4, >= 10.0.0, < 10.0.11, >= 8.7.0, < 9.5.117.5 HIGH

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API. The core REST and contributed GraphQL modules are not affected.

>= 10.0, < 10.0.8, >= 9.5, < 9.5.8, >= 9.4, < 9.4.14, >= 7.0, < 7.966.5 MEDIUM

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

>= 9.4.0, < 9.4.3, >= 9.3.0, < 9.3.196.1 MEDIUM

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

>= 9.4.0, < 9.4.3, >= 8.0.0, < 9.3.197.2 HIGH

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers. This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

>= 9.4.0, < 9.4.3, >= 8.0.0, < 9.3.196.5 MEDIUM

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

>= 9.3.0, < 9.3.12, >= 8.0.0, < 9.2.187.5 HIGH

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

>= 9.4.0, < 9.4.3, >= 8.0.0, < 9.3.19, >= 7.0, < 7.917.5 HIGH

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

>= 9.3.0, < 9.3.125.4 MEDIUM

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.

>= 9.4.0, < 9.4.7, >= 8.0.0, < 9.3.227.5 HIGH

Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

>= 9.3.0, < 9.3.16, >= 9.2.0, < 9.2.21, = 9.4.07.5 HIGH5 MEDIUM

Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

>= 9.3.0, < 9.3.16, >= 9.2.0, < 9.2.21, = 9.4.07.5 HIGH5 MEDIUM

Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.

>= 9.2.0, < 9.2.20, >= 9.3.0, < 9.3.148 HIGH5.8 MEDIUM

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

>= 9.3.0, < 9.3.9, >= 8.0.0, < 9.2.167.5 HIGH5 MEDIUM

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

>= 9.3.0, < 9.3.8, >= 8.0.0, < 9.2.156.5 MEDIUM5 MEDIUM

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

>= 9.3.0, < 9.3.8, >= 8.0.0, < 9.2.155.4 MEDIUM3.5 LOW

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds.

>= 9.3.0, < 9.3.6, >= 9.2.0, < 9.2.136.5 MEDIUM4 MEDIUM

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

>= 9.3.0, < 9.3.6, >= 9.2.0, < 9.2.13, >= 7.0.0, < 7.887.5 HIGH4.3 MEDIUM

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

>= 9.2.0, < 9.2.6, >= 9.1.0, < 9.1.13, = *, >= 8.0.0, < 8.9.197.5 HIGH4.3 MEDIUM

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

>= 9.2.0, < 9.2.6, >= 9.1.0, < 9.1.13, >= 8.9.0, < 8.9.196.5 MEDIUM4 MEDIUM

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

>= 9.2.0, < 9.2.6, >= 9.1.0, < 9.1.13, >= 8.0.0, < 8.9.199.8 CRITICAL7.5 HIGH

Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

>= 9.2.0, < 9.2.6, >= 9.1.0, < 9.1.13, >= 8.9.0, < 8.9.196.5 MEDIUM4.3 MEDIUM

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.

>= 9.0.0, < 9.0.6, >= 8.9.0, < 8.9.6, >= 8.8.0, < 8.8.107.5 HIGH5 MEDIUM

Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

>= 9.0.0, < 9.0.6, >= 8.9.0, < 8.9.6, >= 8.8.0, < 8.8.106.1 MEDIUM4.3 MEDIUM

Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core allows attacker to inject XSS. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10.; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

>= 9.1.0, < 9.1.7, >= 9.0.0, < 9.0.12, >= 8.9.0, < 8.9.14, < 7.806.1 MEDIUM2.6 LOW

Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances. This issue affects: Drupal Core 9.1.x versions prior to 9.1.7; 9.0.x versions prior to 9.0.12; 8.9.x versions prior to 8.9.14; 7.x versions prior to 7.80.

>= 9.0.0, < 9.0.6, >= 8.9.0, < 8.9.6, >= 8.8.0, < 8.8.106.1 MEDIUM4.3 MEDIUM

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

>= 9.2.0, < 9.2.9, >= 9.1.0, < 9.1.14, >= 8.9.0, < 8.9.208.2 HIGH3.5 LOW

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

>= 9.2.0, < 9.2.9, >= 9.1.0, < 9.1.14, >= 8.9.0, < 8.9.208.2 HIGH3.5 LOW

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

>= 9.3.0, < 9.3.3, >= 9.2.0, < 9.2.11, >= 7.0, < 7.866.5 MEDIUM4.3 MEDIUM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

>= 9.3.0, < 9.3.3, >= 9.2.0, < 9.2.11, >= 7.0, < 7.866.5 MEDIUM4.3 MEDIUM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

>= 7.0, < 7.866.5 MEDIUM4.3 MEDIUM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

>= 9.0.0, < 9.0.1, >= 8.9.0, < 8.9.1, >= 8.8.0, < 8.8.8, >= 7.0, < 7.728.8 HIGH6.8 MEDIUM

Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.

>= 9.0.0, < 9.0.6, >= 8.9.0, < 8.9.6, >= 8.8.0, < 8.8.106.1 MEDIUM4.3 MEDIUM

Cross-site scripting vulnerability in l Drupal Core allows an attacker could leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

>= 9.1.0, < 9.1.9, >= 9.0.0, < 9.0.14, >= 8.9.0, < 8.9.166.1 MEDIUM4.3 MEDIUM

A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is mishandled.

>= 9.0.0, < 9.0.6, >= 8.9.0, < 8.9.6, >= 8.8.0, < 8.8.105.3 MEDIUM4.3 MEDIUM

Access bypass vulnerability in of Drupal Core Workspaces allows an attacker to access data without correct permissions. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass vulnerability. An attacker might be able to see content before the site owner intends people to see the content. This vulnerability is mitigated by the fact that sites are only vulnerable if they have installed the experimental Workspaces module. This issue affects Drupal Core8.8.X versions prior to 8.8.10; 8.9.X versions prior to 8.9.6; 9.0.X versions prior to 9.0.6.

>= 7.0, <= 7.706.1 MEDIUM5.8 MEDIUM

Open Redirect vulnerability in Drupal Core allows a user to be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. This issue affects: Drupal Drupal Core 7 version 7.70 and prior versions.

>= 9.0.0, < 9.0.1, >= 8.9.0, < 8.9.1, >= 8.8.0, < 8.8.88.8 HIGH9.3 HIGH

Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.1 versions prior to 9.0.1.

>= 9.0.0, < 9.0.1, >= 8.9.0, < 8.9.1, >= 8.8.0, < 8.8.89.8 CRITICAL7.5 HIGH

Access bypass vulnerability in Drupal Core allows JSON:API when JSON:API is in read/write mode. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable. This issue affects: Drupal Drupal Core 8.8.x versions prior to 8.8.8; 8.9.x versions prior to 8.9.1; 9.0.x versions prior to 9.0.1.

>= 9.0.0, < 9.0.6, >= 8.9.0, < 8.9.6, >= 8.8.0, < 8.8.10, >= 7.0, < 7.736.1 MEDIUM4.3 MEDIUM

Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API does not disable JSONP by default, allowing for an XSS attack. This issue affects: Drupal Drupal Core 7.x versions prior to 7.73; 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

>= 9.1.0, < 9.1.3, >= 9.0.0, < 9.0.11, >= 7.0, < 7.78, >= 8.9.0, < 8.9.137.5 HIGH5 MEDIUM

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

= *, >= 7.0, < 7.74, >= 8.8.0, < 8.8.11, >= 8.9.0, < 8.9.9, >= 9.0.0, < 9.0.88.8 HIGH6.5 MEDIUM

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

>= 7.0, < 7.75, >= 8.8.0, < 8.8.12, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.97.8 HIGH6.8 MEDIUM

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

>= 7.0, < 7.75, >= 8.8.0, < 8.8.12, >= 8.0.0, < 8.9.10, >= 9.0.0, < 9.0.97.8 HIGH6.8 MEDIUM

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

= 8.7.49.8 CRITICAL6.8 MEDIUM

An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.

>= 7.0, < 7.70, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.66.9 MEDIUM4.3 MEDIUM

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

>= 7.0, < 7.70, >= 8.7.0, < 8.7.14, >= 8.8.0, < 8.8.66.9 MEDIUM4.3 MEDIUM

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

>= 8.8.0, < 8.8.4, >= 8.7.0, < 8.7.126.1 MEDIUM4.3 MEDIUM

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

= 6.209.8 CRITICAL7.5 HIGH

An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.

= 6.206.1 MEDIUM4.3 MEDIUM

A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.

>= 7.0, < 7.57.5 HIGH5 MEDIUM

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.

>= 6.0, < 6.16, >= 5.0, < 5.224.8 MEDIUM3.5 LOW

Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission.

>= 6.0, < 6.16, >= 5.0, < 5.226.5 MEDIUM3.5 LOW

Drupal 6.x before 6.16 and 5.x before version 5.22 does not properly block users under certain circumstances. A user with an open session that was blocked could maintain their session on the Drupal site despite being blocked.

>= 6.0, < 6.16, >= 5.0, < 5.226.1 MEDIUM4.3 MEDIUM

Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack.

>= 6.0, < 6.16, >= 5.0, < 5.226.1 MEDIUM5.8 MEDIUM

Drupal versions 5.x and 6.x has open redirection

= 8.7.04.3 MEDIUM

In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.

>= 8.5.0, < 8.5.15, >= 8.6.0, < 8.6.157.5 HIGH6 MEDIUM

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.

>= 8.5.0, < 8.5.15, >= 8.6.0, < 8.6.159.8 CRITICAL7.5 HIGH

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

>= 8.5.0, < 8.5.15, >= 8.6.0, < 8.6.155.4 MEDIUM3.5 LOW

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

>= 8.7.0, < 8.7.1, >= 8.6.0, < 8.6.16, >= 7.0, < 7.679.8 CRITICAL7.5 HIGH

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

>= 7.0, < 7.66, >= 8.5.0, < 8.5.15, >= 8.6.0, < 8.6.156.1 MEDIUM4.3 MEDIUM

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

>= 7.0, < 7.65, >= 8.5.0, < 8.5.14, >= 8.6.0, < 8.6.133.5 LOW

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

>= 8.6.0, < 8.6.10, >= 8.5.0, < 8.5.118.1 HIGH6.8 MEDIUM

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

>= 8.0.0, <= 8.3.74 MEDIUM

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

>= 8.0.0, < 8.3.4, >= 7.0, < 7.564 MEDIUM

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

>= 7.0, < 7.62, >= 8.5.0, < 8.5.9, >= 8.6.0, < 8.6.67.5 HIGH

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

>= 7.0, < 7.62, >= 8.5.0, < 8.5.9, >= 8.6.0, < 8.6.66 MEDIUM

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details

>= 8.0.0, < 8.3.44.3 MEDIUM

In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

>= 8.0.0, < 8.3.75.8 MEDIUM

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

>= 8.0.0, < 8.3.77.5 HIGH

In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

>= 8.0.0, < 8.3.47.5 HIGH

Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.

>= 8.0.0, < 8.5.66.5 MEDIUM4 MEDIUM

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

>= 8.4.0, < 8.4.8, >= 8.5.0, < 8.5.3, >= 7.0, < 7.599.8 CRITICAL7.5 HIGH

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

>= 8.5.0, < 8.5.2, >= 8.0.0, < 8.4.74.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.

<= 7.57, >= 8.0.0, < 8.3.9, >= 8.4.0, < 8.4.6, >= 8.5.0, < 8.5.19.8 CRITICAL7.5 HIGH

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

>= 7.0, < 7.575.8 MEDIUM

Drupal core 7.x versions before 7.57 has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

>= 8.4.0, < 8.4.56.8 MEDIUM

In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

>= 7.0, < 7.57, >= 8.0.0, < 8.4.04.3 MEDIUM

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

>= 7.0, < 7.573.5 LOW

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

>= 8.4.0, < 8.4.5, >= 7.0, < 7.574.3 MEDIUM

Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected.

>= 8.4.0, < 8.4.55.5 MEDIUM

In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

>= 8.4.0, < 8.4.54 MEDIUM

In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module.

= 7.0, = 7.39, = 7.40, = 7.16, = 7.21, = 7.18, = 7.15, = 7.17, = 7.13, = 7.20, = 7.27, = 7.38, = 7.6, = 7.8, = 7.35, = 7.3, = 7.5, = 7.10, = 7.30, = 7.1, = 7.31, = 7.2, = 7.4, = 7.11, = 7.22, = 7.29, = 7.36, = 7.7, = 7.9, = 7.23, = 7.24, = 7.25, = 7.26, = 7.32, = 7.33, = 7.34, = 7.12, = 7.14, = 7.19, = 7.28, = 7.375.8 MEDIUM

Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.41, the jQuery Update module 7.x-2.x before 7.x-2.7 for Drupal, and the LABjs module 7.x-1.x before 7.x-1.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3233.

= 7.0, = 6.0, = 6.33, = 7.16, = 7.21, = 6.2, = 6.18, = 6.32, = 7.15, = 6.12, = 6.14, = 7.3, = 7.17, = 7.18, = 6.24, = 6.25, = 6.13, = 7.9, = 7.10, = 7.11, = 7.12, = 7.27, = 7.28, = 6.1, = 6.19, = 7.6, = 7.8, = 7.13, = 7.22, = 7.33, = 6.21, = 6.28, = 6.30, = 7.4, = 7.20, = 7.34, = 6.7, = 6.8, = 6.11, = 6.26, = 6.27, = 7.5, = 7.30, = 6.4, = 6.22, = 7.25, = 7.29, = 6.16, = 6.17, = 6.34, = 7.24, = 7.31, = 6.3, = 6.5, = 6.23, = 7.1, = 7.2, = 7.19, = 6.9, = 6.10, = 7.7, = 7.14, = 7.23, = 7.26, = 7.32, = 6.6, = 6.15, = 6.20, = 6.29, = 6.315.8 MEDIUM

Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.

= 7.x-1.0, = 7.x-1.1, = 7.x-1.2, = 7.x-1.3, = 7.x-1.44 MEDIUM

The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.

= 7.0, = 6.0, = 6.33, = 7.16, = 7.21, = 6.2, = 7.3, = 7.17, = 7.18, = 6.24, = 6.25, = 6.13, = 6.18, = 6.32, = 7.15, = 6.12, = 6.14, = 7.33, = 7.34, = 6.7, = 6.8, = 6.26, = 7.5, = 7.12, = 7.30, = 6.4, = 6.11, = 6.22, = 6.27, = 7.8, = 7.9, = 7.10, = 7.11, = 7.27, = 7.28, = 6.1, = 7.4, = 7.6, = 7.13, = 7.20, = 7.22, = 6.19, = 6.21, = 6.28, = 6.30, = 7.1, = 7.2, = 7.19, = 6.6, = 6.9, = 6.10, = 6.23, = 7.7, = 7.14, = 7.23, = 7.32, = 6.20, = 6.29, = 7.26, = 7.25, = 6.15, = 6.16, = 6.17, = 6.31, = 6.34, = 7.24, = 7.29, = 7.31, = 6.3, = 6.55.8 MEDIUM

Open redirect vulnerability in URL-related API functions in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the "//" initial sequence.

= 8.2.5, = 8.0.0, = 8.2.0, = 8.2.3, = 8.3.0, = 8.1.0, = 8.1.8, = 8.1.9, = 8.1.2, = 8.1.5, = 8.1.6, = 8.0.1, = 8.1.7, = 8.2.6, = 8.0.2, = 8.0.3, = 8.1.1, = 8.1.10, = 8.2.1, = 8.0.4, = 8.0.5, = 8.1.3, = 8.2.7, = 8.1.4, = 8.2.4, = 8.2.2, = 8.0.66 MEDIUM

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

= 8.2.5, = 8.2.0, = 8.2.3, = 8.2.4, = 8.2.6, = 8.2.2, = 8.2.15 MEDIUM

When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.

= 8.0.0, = 8.2.0, = 8.1.0, = 8.0.4, = 8.0.5, = 8.1.10, = 8.1.2, = 8.1.9, = 8.1.5, = 8.1.6, = 8.1.8, = 8.0.6, = 8.1.3, = 8.1.4, = 8.0.1, = 8.0.2, = 8.0.3, = 8.1.1, = 8.1.7, = 8.2.16.8 MEDIUM

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments

= 8.2.5, = 8.2.0, = 8.2.3, = 8.2.4, = 8.2.6, = 8.2.1, = 8.2.25.1 MEDIUM

Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

= 8.0.0, = 8.2.0, = 8.1.0, = 8.1.10, = 8.1.5, = 8.0.4, = 8.0.5, = 8.1.9, = 8.1.2, = 8.1.6, = 8.1.8, = 8.0.1, = 8.0.6, = 8.1.7, = 8.0.2, = 8.0.3, = 8.2.1, = 8.1.1, = 8.1.3, = 8.1.4, = 8.2.24.3 MEDIUM

The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.

= 7.0, = 7.40, = 7.16, = 7.21, = 7.18, = 7.15, = 7.12, = 7.27, = 7.34, = 7.35, = 7.10, = 7.17, = 7.41, = 7.13, = 7.20, = 7.3, = 7.30, = 7.38, = 7.11, = 7.19, = 7.2, = 7.28, = 7.42, = 7.43, = 7.1, = 7.24, = 7.25, = 7.26, = 7.32, = 7.33, = 7.14, = 7.29, = 7.36, = 7.37, = 7.44, = 7.50, = 7.22, = 7.23, = 7.31, = 7.4, = 7.514.9 MEDIUM

Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.

= 8.0.0, = 8.2.0, = 8.1.0, = 8.1.6, = 8.1.8, = 8.0.4, = 8.0.5, = 8.1.2, = 8.1.5, = 8.1.10, = 8.1.9, = 8.2.2, = 8.0.2, = 8.1.1, = 8.0.6, = 8.1.3, = 8.1.4, = 8.2.1, = 8.0.1, = 8.0.3, = 8.1.75 MEDIUM

The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.

= 8.0.0, = 8.2.0, = 8.1.0, = 8.0.4, = 8.0.5, = 8.1.2, = 8.1.9, = 8.1.5, = 8.1.10, = 8.1.6, = 8.1.8, = 8.2.1, = 8.1.3, = 8.0.2, = 8.0.3, = 8.1.1, = 8.0.6, = 8.1.4, = 8.2.2, = 8.0.1, = 8.1.7, = 7.0, = 7.40, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.34, = 7.41, = 7.17, = 7.30, = 7.12, = 7.13, = 7.20, = 7.27, = 7.35, = 7.3, = 7.38, = 7.1, = 7.19, = 7.25, = 7.26, = 7.32, = 7.33, = 7.42, = 7.23, = 7.24, = 7.31, = 7.4, = 7.11, = 7.2, = 7.28, = 7.36, = 7.43, = 7.44, = 7.14, = 7.22, = 7.29, = 7.37, = 7.50, = 7.514 MEDIUM

The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.

= 8.0.0, = 8.1.0, = 8.1.9, = 8.1.8, = 8.0.4, = 8.1.5, = 8.1.2, = 8.1.6, = 8.0.5, = 8.1.7, = 8.0.1, = 8.0.2, = 8.0.3, = 8.1.3, = 8.0.6, = 8.1.1, = 8.1.44 MEDIUM

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.

= 8.0.0, = 8.1.0, = 8.1.5, = 8.0.4, = 8.1.8, = 8.1.9, = 8.1.6, = 8.0.5, = 8.1.2, = 8.1.7, = 8.0.6, = 8.0.1, = 8.0.2, = 8.0.3, = 8.1.3, = 8.1.1, = 8.1.44.3 MEDIUM

Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.

= 8.0.0, = 8.1.0, = 8.1.9, = 8.0.4, = 8.0.5, = 8.1.8, = 8.1.6, = 8.1.5, = 8.1.2, = 8.1.4, = 8.0.2, = 8.1.1, = 8.0.3, = 8.0.6, = 8.1.7, = 8.1.3, = 8.0.14 MEDIUM

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

= 7.0, = 7.39, = 7.40, = 7.16, = 7.21, = 7.18, = 7.15, = 7.30, = 7.38, = 7.10, = 7.17, = 7.41, = 7.27, = 7.35, = 7.5, = 7.13, = 7.20, = 7.3, = 7.8, = 7.23, = 7.24, = 7.31, = 7.4, = 7.9, = 7.x-dev, = 7.43, = 7.1, = 7.25, = 7.26, = 7.32, = 7.33, = 7.11, = 7.12, = 7.19, = 7.2, = 7.28, = 7.34, = 7.42, = 7.6, = 7.14, = 7.22, = 7.29, = 7.36, = 7.37, = 7.7, = 8.0.0, = 8.1.0, = 8.0.4, = 8.1.2, = 8.0.5, = 8.0.2, = 8.0.3, = 8.1.1, = 8.0.1, = 8.0.65 MEDIUM

The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.

= 7.0, = 7.39, = 7.40, = 7.16, = 7.21, = 7.18, = 7.13, = 7.3, = 7.8, = 7.15, = 7.30, = 7.38, = 7.10, = 7.17, = 7.41, = 7.20, = 7.27, = 7.35, = 7.5, = 7.14, = 7.22, = 7.29, = 7.36, = 7.37, = 7.7, = 7.23, = 7.24, = 7.31, = 7.4, = 7.9, = 7.x-dev, = 7.43, = 7.1, = 7.25, = 7.26, = 7.32, = 7.33, = 7.42, = 7.11, = 7.12, = 7.19, = 7.2, = 7.28, = 7.34, = 7.66.5 MEDIUM

The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.

>= 8.0.0, < 8.1.78.1 HIGH5.1 MEDIUM

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

= 6.0, = 6.1, = 6.2, = 6.3, = 6.4, = 6.5, = 6.6, = 6.7, = 6.8, = 6.9, = 6.10, = 6.11, = 6.12, = 6.13, = 6.14, = 6.15, = 6.16, = 6.17, = 6.18, = 6.19, = 6.20, = 6.21, = 6.22, = 6.23, = 6.24, = 6.25, = 6.26, = 6.27, = 6.28, = 6.29, = 6.30, = 6.31, = 6.32, = 6.33, = 6.34, = 6.35, = 6.36, = 6.376.8 MEDIUM

Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation.

= 7.0, = 8.0, = 7.39, = 7.40, = 7.16, = 7.21, = 7.41, = 7.18, = 7.17, = 7.38, = 7.3, = 7.15, = 8.0.3, = 8.0.2, = 7.x-dev, = 7.9, = 7.8, = 7.27, = 7.10, = 7.35, = 7.5, = 7.30, = 7.22, = 7.20, = 7.12, = 7.34, = 7.6, = 7.4, = 7.28, = 7.13, = 7.42, = 7.33, = 7.19, = 7.7, = 7.26, = 7.25, = 7.24, = 7.23, = 7.11, = 7.1, = 8.0.1, = 7.37, = 7.29, = 7.14, = 7.36, = 7.25 MEDIUM

The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.

= 7.0, = 6.0, = 6.33, = 7.40, = 7.16, = 7.21, = 6.14, = 6.13, = 7.18, = 6.2, = 7.41, = 7.38, = 7.3, = 7.15, = 6.24, = 6.18, = 6.25, = 7.x-dev, = 7.9, = 7.8, = 7.28, = 7.27, = 7.12, = 7.10, = 6.30, = 6.12, = 7.35, = 7.34, = 7.20, = 7.17, = 6.4, = 6.36, = 6.35, = 6.22, = 7.5, = 7.13, = 6.8, = 6.32, = 6.26, = 6.11, = 7.6, = 7.4, = 7.30, = 7.22, = 6.7, = 6.27, = 7.32, = 7.7, = 7.26, = 7.25, = 7.11, = 7.1, = 6.37, = 6.3, = 6.29, = 6.28, = 6.15, = 7.37, = 7.36, = 7.2, = 7.19, = 6.5, = 6.21, = 6.20, = 7.31, = 7.33, = 7.23, = 6.6, = 6.34, = 6.16, = 6.1, = 7.42, = 7.29, = 7.24, = 7.14, = 6.9, = 6.31, = 6.23, = 6.19, = 6.17, = 6.106.8 MEDIUM

The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

= 7.0, = 6.0, = 6.33, = 7.40, = 7.16, = 7.21, = 7.38, = 6.25, = 6.24, = 7.41, = 7.3, = 7.15, = 6.18, = 6.2, = 6.13, = 7.18, = 6.14, = 7.6, = 7.5, = 7.4, = 7.22, = 7.20, = 6.8, = 6.7, = 6.26, = 7.30, = 7.28, = 7.13, = 7.12, = 6.32, = 6.30, = 7.9, = 7.35, = 7.27, = 7.17, = 7.10, = 6.36, = 6.11, = 7.x-dev, = 7.8, = 7.34, = 6.4, = 6.35, = 6.27, = 6.22, = 6.12, = 7.37, = 7.23, = 6.9, = 6.6, = 6.5, = 6.23, = 6.10, = 6.1, = 7.32, = 7.31, = 7.29, = 7.14, = 6.31, = 6.17, = 6.16, = 6.15, = 7.7, = 7.33, = 7.25, = 7.19, = 6.37, = 6.34, = 6.3, = 6.28, = 6.21, = 7.42, = 7.36, = 7.26, = 7.24, = 7.2, = 7.11, = 7.1, = 6.29, = 6.20, = 6.198.5 HIGH

The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."

= 6.0, = 6.1, = 6.2, = 6.3, = 6.4, = 6.5, = 6.6, = 6.7, = 6.8, = 6.9, = 6.10, = 6.11, = 6.12, = 6.13, = 6.14, = 6.15, = 6.16, = 6.17, = 6.18, = 6.19, = 6.20, = 6.21, = 6.22, = 6.23, = 6.24, = 6.25, = 6.26, = 6.27, = 6.28, = 6.29, = 6.30, = 6.31, = 6.32, = 6.33, = 6.34, = 6.35, = 6.36, = 6.376.4 MEDIUM

Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the "destination" parameter.

= 6.0, = 6.33, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.30, = 6.4, = 6.36, = 6.22, = 6.7, = 6.35, = 6.27, = 6.19, = 6.12, = 6.8, = 6.32, = 6.26, = 6.18, = 6.11, = 6.31, = 6.3, = 6.29, = 6.28, = 6.16, = 6.15, = 6.6, = 6.5, = 6.23, = 6.21, = 6.20, = 6.9, = 6.17, = 6.10, = 6.37, = 6.34, = 6.14.3 MEDIUM

CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.

= 6.0, = 6.33, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.27, = 6.26, = 6.12, = 6.11, = 6.4, = 6.7, = 6.36, = 6.35, = 6.19, = 6.8, = 6.32, = 6.30, = 6.22, = 6.18, = 6.37, = 6.9, = 6.29, = 6.28, = 6.5, = 6.31, = 6.3, = 6.23, = 6.17, = 6.15, = 6.10, = 6.34, = 6.21, = 6.20, = 6.6, = 6.16, = 6.15 MEDIUM

The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.

= 8.0.0, = 7.0, = 6.0, = 6.33, = 7.40, = 7.16, = 7.38, = 7.21, = 7.15, = 6.24, = 7.18, = 6.2, = 6.14, = 6.13, = 7.5, = 7.3, = 7.13, = 6.32, = 6.18, = 7.41, = 7.35, = 7.34, = 7.17, = 6.4, = 6.36, = 7.9, = 7.8, = 7.6, = 7.27, = 7.10, = 6.12, = 6.11, = 7.30, = 7.20, = 7.12, = 6.25, = 8.0.3, = 8.0.2, = 8.0.1, = 7.32, = 7.x-dev, = 7.28, = 7.2, = 6.8, = 6.6, = 6.30, = 6.22, = 6.16, = 6.1, = 7.42, = 7.33, = 7.19, = 6.35, = 6.34, = 6.21, = 6.19, = 7.7, = 7.26, = 7.25, = 7.24, = 7.23, = 7.11, = 7.1, = 6.37, = 6.29, = 6.28, = 6.27, = 6.26, = 7.31, = 7.4, = 7.37, = 7.29, = 7.22, = 7.14, = 6.7, = 6.5, = 6.31, = 6.3, = 6.23, = 6.17, = 6.15, = 6.10, = 7.36, = 6.20, = 6.95.8 MEDIUM

Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.

= 7.0, = 6.0, = 6.33, = 7.40, = 7.16, = 7.21, = 6.25, = 6.24, = 6.14, = 7.41, = 7.3, = 7.15, = 6.18, = 7.38, = 7.18, = 6.2, = 6.13, = 7.6, = 7.5, = 7.4, = 7.22, = 6.8, = 6.7, = 6.26, = 7.9, = 7.35, = 7.27, = 7.20, = 7.12, = 7.10, = 6.4, = 6.35, = 6.27, = 6.22, = 6.12, = 7.30, = 7.17, = 7.13, = 6.32, = 6.30, = 7.x-dev, = 7.8, = 7.34, = 7.28, = 6.36, = 6.11, = 7.7, = 7.24, = 7.23, = 6.37, = 6.6, = 6.5, = 6.23, = 6.10, = 6.1, = 7.31, = 7.37, = 7.25, = 7.19, = 6.29, = 6.20, = 6.19, = 7.42, = 7.32, = 7.33, = 7.29, = 7.14, = 6.31, = 6.17, = 6.16, = 6.15, = 7.36, = 7.26, = 7.2, = 7.11, = 7.1, = 6.34, = 6.3, = 6.28, = 6.215 MEDIUM

The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.

= 7.0, = 7.40, = 7.16, = 7.21, = 7.18, = 7.15, = 7.35, = 7.17, = 7.8, = 7.27, = 7.10, = 7.41, = 7.5, = 7.38, = 7.3, = 7.13, = 7.6, = 7.30, = 7.20, = 8.0.3, = 8.0.2, = 8.0.1, = 7.37, = 7.36, = 7.34, = 7.2, = 7.19, = 7.x-dev, = 7.9, = 7.7, = 7.28, = 7.26, = 7.25, = 7.12, = 7.11, = 7.1, = 7.31, = 7.33, = 7.23, = 8.0.0, = 7.32, = 7.4, = 7.29, = 7.24, = 7.22, = 7.146.5 MEDIUM

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.

all versions5 MEDIUM

The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.12, = 7.20, = 7.27, = 7.17, = 7.30, = 7.6, = 7.10, = 7.34, = 7.35, = 7.8, = 7.13, = 7.3, = 7.38, = 7.5, = 7.11, = 7.2, = 7.28, = 7.36, = 7.37, = 7.x-dev, = 7.23, = 7.24, = 7.33, = 7.7, = 7.1, = 7.19, = 7.25, = 7.26, = 7.9, = 7.14, = 7.22, = 7.29, = 7.44.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag.

= 7.0, = 6.0, = 6.33, = 7.16, = 7.21, = 6.2, = 6.12, = 6.24, = 7.15, = 6.13, = 6.14, = 7.38, = 7.18, = 7.3, = 6.18, = 6.25, = 6.32, = 7.17, = 6.11, = 6.27, = 6.28, = 6.35, = 6.30, = 6.7, = 6.22, = 6.36, = 6.4, = 7.12, = 7.13, = 7.20, = 7.27, = 7.28, = 7.x-dev, = 7.10, = 7.11, = 7.34, = 7.35, = 7.8, = 7.9, = 7.22, = 7.4, = 7.5, = 6.1, = 6.19, = 6.26, = 6.8, = 7.30, = 7.33, = 7.6, = 6.20, = 6.34, = 6.15, = 6.16, = 6.17, = 6.23, = 6.31, = 6.6, = 7.14, = 6.21, = 6.29, = 6.3, = 6.5, = 7.2, = 7.37, = 7.1, = 7.19, = 7.25, = 7.26, = 7.36, = 7.29, = 6.10, = 6.9, = 7.23, = 7.24, = 7.75 MEDIUM

Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to obtain sensitive node titles by reading the menu.

= 7.0, = 6.0, = 6.33, = 7.16, = 7.21, = 6.2, = 6.13, = 6.14, = 7.38, = 6.18, = 6.25, = 6.32, = 6.24, = 7.15, = 7.3, = 6.12, = 7.18, = 6.22, = 6.36, = 6.4, = 7.11, = 7.12, = 7.13, = 7.20, = 7.27, = 7.28, = 7.x-dev, = 6.19, = 6.26, = 6.8, = 7.17, = 7.30, = 7.6, = 6.30, = 6.7, = 7.22, = 7.4, = 7.5, = 6.11, = 6.27, = 6.35, = 7.10, = 7.34, = 7.35, = 7.8, = 7.9, = 6.21, = 6.29, = 6.3, = 7.2, = 7.37, = 6.1, = 6.10, = 6.17, = 6.9, = 7.23, = 7.24, = 7.33, = 7.7, = 6.15, = 6.16, = 6.23, = 6.31, = 6.5, = 6.6, = 7.14, = 7.29, = 6.20, = 6.28, = 6.34, = 7.1, = 7.19, = 7.25, = 7.26, = 7.366.8 MEDIUM

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.17, = 7.34, = 7.35, = 7.8, = 7.3, = 7.30, = 7.5, = 7.6, = 7.12, = 7.27, = 7.13, = 7.20, = 7.38, = 7.1, = 7.24, = 7.25, = 7.7, = 7.22, = 7.23, = 7.33, = 7.11, = 7.19, = 7.2, = 7.26, = 7.36, = 7.37, = 7.9, = 7.x-dev, = 7.14, = 7.28, = 7.29, = 7.47.5 HIGH

SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.

= 7.0, = 6.0, = 6.33, = 7.16, = 7.21, = 6.2, = 6.12, = 6.18, = 6.24, = 6.25, = 6.32, = 7.15, = 6.13, = 6.14, = 7.18, = 7.3, = 7.38, = 6.11, = 6.19, = 6.26, = 6.27, = 6.35, = 6.7, = 6.8, = 7.22, = 7.30, = 7.5, = 7.6, = 6.36, = 6.4, = 7.11, = 7.12, = 7.27, = 7.28, = 7.9, = 7.x-dev, = 7.10, = 7.17, = 7.34, = 7.35, = 7.8, = 6.22, = 6.30, = 7.13, = 7.20, = 7.4, = 6.34, = 6.9, = 6.1, = 6.10, = 6.17, = 7.23, = 7.33, = 6.20, = 6.21, = 6.28, = 6.29, = 7.19, = 7.2, = 7.36, = 7.37, = 7.1, = 7.24, = 7.25, = 7.26, = 7.7, = 6.15, = 6.16, = 6.23, = 6.3, = 6.31, = 6.5, = 6.6, = 7.14, = 7.294.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files.

= 7.0, = 6.0, = 6.33, = 7.16, = 7.21, = 6.2, = 7.18, = 7.17, = 6.13, = 6.14, = 7.15, = 7.3, = 6.12, = 6.18, = 6.24, = 6.25, = 6.32, = 7.10, = 7.11, = 7.35, = 7.9, = 7.33, = 7.34, = 7.8, = 6.28, = 6.4, = 6.22, = 6.30, = 6.7, = 7.22, = 7.30, = 7.5, = 7.6, = 6.11, = 6.19, = 6.26, = 6.27, = 6.35, = 7.12, = 7.13, = 7.20, = 7.27, = 7.28, = 7.4, = 6.1, = 6.8, = 7.19, = 7.25, = 7.26, = 7.36, = 7.1, = 7.23, = 7.24, = 7.7, = 6.20, = 6.21, = 6.29, = 6.5, = 6.15, = 6.16, = 6.23, = 6.3, = 6.31, = 6.6, = 7.14, = 7.29, = 6.34, = 7.2, = 7.37, = 6.10, = 6.17, = 6.94.3 MEDIUM

The OpenID module in Drupal 6.x before 6.36 and 7.x before 7.38 allows remote attackers to log into other users' accounts by leveraging an OpenID identity from certain providers, as demonstrated by the Verisign, LiveJournal, and StackExchange providers.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.12, = 7.13, = 7.20, = 7.27, = 7.17, = 7.34, = 7.8, = 7.3, = 7.30, = 7.5, = 7.6, = 7.10, = 7.35, = 7.9, = 7.14, = 7.2, = 7.28, = 7.37, = 7.4, = 7.1, = 7.23, = 7.24, = 7.33, = 7.7, = 7.22, = 7.29, = 7.11, = 7.19, = 7.25, = 7.26, = 7.365.8 MEDIUM

Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.27, = 7.35, = 7.9, = 7.3, = 7.30, = 7.5, = 7.6, = 7.17, = 7.34, = 7.8, = 7.12, = 7.13, = 7.20, = 7.11, = 7.19, = 7.26, = 7.36, = 7.14, = 7.22, = 7.23, = 7.1, = 7.24, = 7.25, = 7.33, = 7.7, = 7.2, = 7.28, = 7.29, = 7.37, = 7.45.8 MEDIUM

Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.17, = 7.30, = 7.8, = 7.13, = 7.3, = 7.5, = 7.6, = 7.12, = 7.20, = 7.27, = 7.10, = 7.34, = 7.35, = 7.9, = 7.23, = 7.24, = 7.33, = 7.7, = 7.11, = 7.14, = 7.22, = 7.29, = 7.4, = 7.2, = 7.28, = 7.36, = 7.37, = 7.1, = 7.19, = 7.25, = 7.264 MEDIUM

The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache.

>= 6.0, < 6.35, >= 7.0, < 7.353.5 LOW

Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.

>= 7.0, < 7.866.1 MEDIUM4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

>= 7.0, < 7.345 MEDIUM

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

>= 6.0, < 6.34, >= 7.0, < 7.346.8 MEDIUM

Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.

>= 7.0, < 7.327.5 HIGH

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

= 7.0, = 6.0, = 7.16, = 7.21, = 6.2, = 7.18, = 6.24, = 7.17, = 6.14, = 6.13, = 7.8, = 6.32, = 6.25, = 6.18, = 7.3, = 7.15, = 6.12, = 7.6, = 7.5, = 7.19, = 7.10, = 6.30, = 6.17, = 7.4, = 7.30, = 6.8, = 6.7, = 6.22, = 6.21, = 7.9, = 7.28, = 7.27, = 7.20, = 7.12, = 7.11, = 6.4, = 6.26, = 6.19, = 6.1, = 7.22, = 7.13, = 6.5, = 6.28, = 6.27, = 6.11, = 7.26, = 7.25, = 7.1, = 6.31, = 6.23, = 6.16, = 7.24, = 7.23, = 6.9, = 6.3, = 6.29, = 6.15, = 7.7, = 7.2, = 6.10, = 7.29, = 7.14, = 6.6, = 6.206.8 MEDIUM

modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document.

= 7.0, = 6.0, = 7.16, = 7.21, = 6.2, = 7.17, = 7.18, = 7.8, = 6.12, = 6.13, = 7.15, = 7.3, = 6.14, = 6.24, = 6.32, = 6.18, = 6.25, = 7.30, = 7.19, = 7.5, = 7.6, = 6.11, = 6.26, = 6.27, = 6.28, = 7.13, = 7.28, = 7.x-dev, = 6.1, = 6.22, = 6.30, = 7.10, = 7.11, = 7.27, = 6.19, = 6.21, = 6.8, = 6.7, = 7.12, = 7.20, = 7.22, = 7.4, = 7.9, = 6.17, = 6.4, = 7.2, = 7.7, = 6.10, = 6.29, = 7.23, = 6.16, = 6.5, = 7.1, = 7.24, = 7.25, = 7.26, = 6.20, = 6.9, = 6.6, = 7.14, = 7.29, = 6.15, = 6.23, = 6.3, = 6.315 MEDIUM

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

= 7.0, = 6.0, = 7.16, = 7.21, = 6.2, = 7.15, = 7.3, = 7.17, = 7.18, = 7.8, = 6.12, = 6.13, = 6.14, = 6.18, = 6.24, = 6.32, = 6.25, = 7.30, = 7.13, = 7.28, = 7.5, = 7.x-dev, = 6.1, = 7.19, = 7.6, = 7.9, = 6.11, = 6.26, = 6.27, = 6.28, = 7.10, = 7.11, = 7.12, = 7.27, = 6.19, = 6.21, = 6.8, = 6.7, = 6.22, = 6.30, = 7.20, = 7.22, = 7.4, = 6.17, = 6.4, = 7.23, = 7.2, = 7.7, = 6.10, = 6.29, = 7.1, = 7.24, = 7.25, = 7.26, = 6.20, = 6.9, = 6.6, = 6.5, = 6.16, = 7.14, = 7.29, = 6.15, = 6.23, = 6.3, = 6.315 MEDIUM

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.17, = 7.5, = 7.6, = 7.8, = 7.13, = 7.3, = 7.10, = 7.12, = 7.20, = 7.27, = 7.4, = 7.9, = 7.7, = 7.28, = 7.1, = 7.22, = 7.23, = 7.24, = 7.25, = 7.11, = 7.2, = 7.26, = 7.x-dev, = 7.14, = 7.19, = 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.1, = 6.11, = 6.12, = 6.26, = 6.27, = 6.28, = 6.17, = 6.19, = 6.4, = 6.7, = 6.21, = 6.8, = 6.22, = 6.30, = 6.10, = 6.20, = 6.5, = 6.6, = 6.15, = 6.23, = 6.3, = 6.31, = 6.16, = 6.29, = 6.92.1 LOW

Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.12, = 7.13, = 7.27, = 7.3, = 7.4, = 7.20, = 7.9, = 7.6, = 7.8, = 7.17, = 7.5, = 7.11, = 7.26, = 7.19, = 7.2, = 7.x-dev, = 7.1, = 7.14, = 7.22, = 7.24, = 7.28, = 7.23, = 7.25, = 7.74.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.12, = 7.13, = 7.3, = 7.4, = 7.5, = 7.6, = 7.20, = 7.8, = 7.10, = 7.17, = 7.27, = 7.9, = 7.14, = 7.22, = 7.23, = 7.1, = 7.11, = 7.2, = 7.24, = 7.26, = 7.x-dev, = 7.28, = 7.19, = 7.25, = 7.74.9 MEDIUM

The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.12, = 7.27, = 7.17, = 7.8, = 7.9, = 7.13, = 7.3, = 7.5, = 7.20, = 7.4, = 7.6, = 7.28, = 7.1, = 7.11, = 7.24, = 7.25, = 7.26, = 7.19, = 7.2, = 7.x-dev, = 7.23, = 7.7, = 7.14, = 7.22, = 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.11, = 6.12, = 6.27, = 6.28, = 6.21, = 6.22, = 6.7, = 6.8, = 6.17, = 6.19, = 6.1, = 6.26, = 6.30, = 6.4, = 6.29, = 6.3, = 6.20, = 6.6, = 6.9, = 6.10, = 6.15, = 6.23, = 6.31, = 6.5, = 6.165 MEDIUM

The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.

all versions5 MEDIUM

The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal does not properly identify user account names, which might allow remote attackers to bypass the two-factor authentication requirement via unspecified vectors.

all versions5 MEDIUM

The Google Authenticator login module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to obtain access by replaying the username, password, and one-time password (OTP).

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the MediaFront module 6.x-1.x before 6.x-1.6, 7.x-1.x before 7.x-1.6, and 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer mediafront" permission to inject arbitrary web script or HTML via the preset settings.

all versions2.1 LOW

The Spaces OG submodule in the Spaces module 6.x-3.x before 6.x-3.7 for Drupal does not properly delete organic group group spaces content when using the option to move to a new group, which causes the content to be "orphaned" and allows remote authenticated users with the "access content" permission to obtain sensitive information via vectors involving a rebuild access for the site or content.

all versions4 MEDIUM

The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file.

all versions2.6 LOW

The Monster Menus module 7.x-1.x before 7.x-1.15 allows remote attackers to read arbitrary node comments via a crafted URL.

all versions6.8 MEDIUM

Session fixation vulnerability in the Ubercart module 6.x-2.x before 6.x-2.13 and 7.x-3.x before 7.x-3.6 for Drupal, when the "Log in new customers after checkout" option is enabled, allows remote attackers to hijack web sessions by leveraging knowledge of the original session ID.

>= 7.0, < 7.27, >= 6.0, < 6.315 MEDIUM

Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.

all versions4.3 MEDIUM

The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the jQuery Countdown module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Anonymous Posting module 7.x-1.2 and 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the contact name field.

= 7.144.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.11, = 7.19, = 7.22, = 7.17, = 7.24, = 7.12, = 7.13, = 7.20, = 7.2, = 7.14, = 7.23, = 7.14 MEDIUM

The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.19, = 7.13, = 7.22, = 7.11, = 7.12, = 7.20, = 7.17, = 7.24, = 7.1, = 7.14, = 7.2, = 7.23, = 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.11, = 6.12, = 6.19, = 6.26, = 6.27, = 6.22, = 6.21, = 6.28, = 6.1, = 6.10, = 6.17, = 6.15, = 6.16, = 6.23, = 6.207.5 HIGH

The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.

= 7.0, = 7.16, = 7.18, = 7.15, = 7.10, = 7.9, = 7.x-dev, = 7.5, = 7.6, = 7.17, = 7.8, = 7.11, = 7.12, = 7.13, = 7.3, = 7.4, = 7.1, = 7.2, = 7.14, = 7.7, = 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.21, = 6.4, = 6.5, = 6.11, = 6.12, = 6.19, = 6.26, = 6.27, = 6.1, = 6.10, = 6.17, = 6.8, = 6.22, = 6.7, = 6.20, = 6.3, = 6.9, = 6.15, = 6.16, = 6.23, = 6.62.6 LOW

Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.17, = 7.3, = 7.4, = 7.10, = 7.5, = 7.6, = 7.12, = 7.13, = 7.20, = 7.8, = 7.9, = 7.x-dev, = 7.1, = 7.11, = 7.19, = 7.2, = 7.7, = 7.14, = 7.22, = 7.234.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.17, = 7.3, = 7.x-dev, = 7.10, = 7.4, = 7.5, = 7.12, = 7.13, = 7.20, = 7.6, = 7.8, = 7.9, = 7.23, = 7.1, = 7.11, = 7.19, = 7.2, = 7.7, = 7.14, = 7.222.1 LOW

Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.

all versions5.8 MEDIUM

The OG Features module 6.x-1.x before 6.x-1.4 for Drupal does not properly override pages that have an access callback set to false, which allows remote attackers to bypass intended access restrictions via a request.

= 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.1, = 6.17, = 6.19, = 6.26, = 6.7, = 6.8, = 6.21, = 6.11, = 6.12, = 6.27, = 6.28, = 6.22, = 6.4, = 6.5, = 6.10, = 6.20, = 6.9, = 6.3, = 6.15, = 6.16, = 6.23, = 6.6, = 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.10, = 7.9, = 7.x-dev, = 7.12, = 7.13, = 7.3, = 7.4, = 7.5, = 7.6, = 7.20, = 7.17, = 7.8, = 7.11, = 7.19, = 7.2, = 7.23, = 7.22, = 7.14, = 7.1, = 7.75.1 MEDIUM

The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.12, = 7.x-dev, = 7.13, = 7.3, = 7.4, = 7.5, = 7.6, = 7.20, = 7.10, = 7.17, = 7.8, = 7.9, = 7.11, = 7.19, = 7.2, = 7.23, = 7.14, = 7.22, = 7.7, = 7.1, = 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.21, = 6.22, = 6.4, = 6.17, = 6.5, = 6.1, = 6.19, = 6.26, = 6.7, = 6.8, = 6.11, = 6.12, = 6.27, = 6.28, = 6.15, = 6.3, = 6.16, = 6.23, = 6.6, = 6.10, = 6.20, = 6.96.8 MEDIUM

Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.

= 7.0, = 7.16, = 7.21, = 7.18, = 7.15, = 7.20, = 7.17, = 7.8, = 7.5, = 7.6, = 7.10, = 7.9, = 7.x-dev, = 7.12, = 7.13, = 7.3, = 7.4, = 7.23, = 7.22, = 7.1, = 7.7, = 7.11, = 7.19, = 7.2, = 7.145.8 MEDIUM

Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

all versions6.8 MEDIUM

The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection.

all versions4.9 MEDIUM

The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access.

= 7.0, = 6.0, = 6.2, = 6.14, = 7.8, = 7.3, = 6.12, = 6.13, = 7.6, = 7.5, = 6.11, = 6.18, = 7.10, = 7.9, = 7.7, = 6.1, = 6.16, = 6.17, = 7.4, = 6.20, = 6.10, = 6.19, = 7.x-dev, = 7.2, = 7.1, = 7.x, = 6.15, = 6.21, = 6.22, = 6.236.8 MEDIUM

Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

= 7.0, = 7.3, = 7.4, = 7.5, = 7.6, = 7.7, = 7.8, = 7.x-dev, = 7.10, = 7.2, = 7.9, = 7.13.5 LOW

The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors.

= 6.0, = 6.2, = 6.14, = 6.13, = 6.18, = 6.12, = 6.6, = 6.7, = 6.11, = 6.17, = 6.8, = 6.15, = 6.21, = 6.22, = 6.4, = 6.5, = 6.1, = 6.10, = 6.19, = 6.20, = 6.3, = 6.16, = 6.9, = 7.0, = 7.3, = 7.5, = 7.6, = 7.2, = 7.9, = 7.x-dev, = 7.1, = 7.7, = 7.8, = 7.4, = 7.106.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors.

all versions6.4 MEDIUM

The Make Meeting Scheduler module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to bypass intended access restrictions for a poll via a direct request to the node's URL instead of the hashed URL.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in Google Site Search module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.10 for Drupal allows remote attackers to inject arbitrary web script or HTML by causing crafted data to be returned by the Google API.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the administration page in the Flag module 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "Administer flags" permission to inject arbitrary web script or HTML via the flag title.

all versions5 MEDIUM

The Node View Permissions module 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the hook_query_alter function, which might allow remote attackers to obtain sensitive information by reading a node listing.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete database information via vectors involving the Drupal Form API.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Click2Sell Suite module 6.x-1.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a confirmation form.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the password_policy_admin_view function in password_policy.admin.inc in the Password Policy module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer policies" permission to inject arbitrary web script or HTML via the "Password Expiration Warning" field to the admin/config/people/password_policy/add page.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Hatch theme 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with the "Administer content," "Create new article," or "Edit any article type content" permission to inject arbitrary web script or HTML via unspecified vectors.

all versions5.8 MEDIUM

The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user account is deleted, which allows remote attackers to modify the content via unspecified vectors.

all versions4.3 MEDIUM

The BOTCHA Spam Prevention module 7.x-1.x before 7.x-1.6, 7.x-2.x before 7.x-2.1, and 7.x-3.x before 7.x-3.3 for Drupal, when the debugging level is set to 5 or 6, logs the content of submitted forms, which allows context-dependent users to obtain sensitive information such as usernames and passwords by reading the log file.

all versions4.3 MEDIUM

The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal, when using the login delay option, allows remote attackers to cause a denial of service (CPU consumption) via a large number of failed login attempts.

all versions7.5 HIGH

The Fast Permissions Administration module 6.x-2.x before 6.x-2.5 and 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to the modal content callback, which allows remote attackers to obtain unspecified access to the permissions edit form.

all versions5 MEDIUM

The Stage File Proxy module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to cause a denial of service (file operations performance degradation and failure) via a large number of requests.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Imagemenu module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer imagemenu" permission to inject arbitrary web script or HTML via an image file name.

all versions6 MEDIUM

The mm_webform submodule in the Monster Menus module 6.x-6.x before 6.x-6.61 and 7.x-1.x before 7.x-1.13 for Drupal does not properly restrict access to webform submissions, which allows remote authenticated users with the "Who can read data submitted to this webform" permission to delete arbitrary submissions via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Monster Menus module 7.x-1.x before 7.x-1.12 for Drupal allows remote authenticated users with permissions to add pages to inject arbitrary web script or HTML via a title in the page settings.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the Spambot module 6.x-3.x before 6.x-3.2 and 7.x-1.x before 7.x-1.1 for Drupal allows certain remote attackers to inject arbitrary web script or HTML via a stopforumspam.com API response, which is logged by the watchdog.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the Resource Manager in the MEE submodule (mee.module) in the Scald module 6.x-1.x before 6.x-1.0-beta3 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the atom title, a different vector than CVE-2013-4174.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Scald module 7.x-1.x before 7.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) flash_uri, (2) flash_width, or (3) flash_height in the scald_flash_scald_prerender function in providers/scald_flash/scald_flash.module; or the (4) caption in the scald_image_scald_prerender function in providers/scald_image/scald_image.module.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the TinyBox (Simple Splash) module before 7.x-2.2 for Drupal allows remote authenticated users with the "administer tinybox" permission to inject arbitrary web script or HTML via unspecified vectors.

all versions5 MEDIUM

The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.

all versions5 MEDIUM

The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to comments, which allows remote authenticated users with the "edit comments" permission to edit arbitrary comments of other users via unspecified vectors.

= 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.27, = 6.22, = 6.21, = 6.7, = 6.26, = 6.8, = 6.10, = 6.4, = 6.12, = 6.19, = 6.17, = 6.5, = 6.1, = 6.11, = 6.15, = 6.23, = 6.6, = 6.20, = 6.16, = 6.9, = 6.3, = 7.0, = 7.16, = 7.18, = 7.15, = 7.17, = 7.x-dev, = 7.3, = 7.8, = 7.11, = 7.13, = 7.6, = 7.9, = 7.4, = 7.12, = 7.5, = 7.10, = 7.14, = 7.2, = 7.1, = 7.72.1 LOW

The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors.

= 7.0, = 7.16, = 7.18, = 7.15, = 7.5, = 7.4, = 7.6, = 7.x-dev, = 7.12, = 7.9, = 7.11, = 7.17, = 7.13, = 7.3, = 7.8, = 7.10, = 7.2, = 7.1, = 7.7, = 7.144.3 MEDIUM

The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.

all versions5 MEDIUM

The Commons Group module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Services module 6.x-3.x and 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the PRH Search module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers from certain sources to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Exposed Filter Data module 6.x-1.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Fonecta verify module 7.x-1.x before 7.x-1.6 for Drupal allows remote attackers from certain sources to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of a MP3 file.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Apache Solr Autocomplete module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving autocomplete results.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via an entity bundle label.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Filebrowser module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "lists of files."

all versions4.3 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the elFinder file manager module 6.x-0.x before 6.x-0.8 and 7.x-0.x before 7.x-0.8 for Drupal allows remote attackers to hijack the authentication of unspecified victims to create, modify, or delete files via unknown vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Rules module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with the "administer rules" permission to inject arbitrary web script or HTML via a rule tag.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x before 6.x-3.19 for Drupal allows remote authenticated users with the "edit own webform content" or "edit all webform content" permissions to inject arbitrary web script or HTML via a component label.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the phptemplate_preprocess_node function in template.php in the Inf08 theme 6.x-1.x before 6.x-1.10 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary name.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Zero Point theme 7.x-1.x before 7.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the CurvyCorners module 6.x-1.x and 7.x-1.x for Drupal allows remote authenticated users with the "administer curvycorners" permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Clean Theme before 7.x-1.3 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Premium Responsive theme before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions6.4 MEDIUM

The Node Parameter Control module 6.x-1.x for Drupal does not properly restrict access to the configuration options, which allows remote attackers to read and edit configuration options via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Simple Corporate theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Yandex.Metrics module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the Yandex.Metrica service data.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Rendered links formatter in the Menu Reference module 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with the "Administer menus and menu items" permission to inject arbitrary web script or HTML via the menu link title.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Varnish module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta2 for Drupal allow remote attackers to inject arbitrary web script or HTML via crafted a (1) Watchdog message or (2) admin setting.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Fresh theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.

all versions2.1 LOW

Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.

all versions5 MEDIUM

The Payment module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to payments, which allows remote attackers to read arbitrary payments.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in Views in the Ubercart Views (uc_views) module 6.x before 6.x-3.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.

all versions5.1 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manager (taxonomy_manager) module 6.x-2.x before 6.x-2.2 and 7.x-1.x before 7.x-1.0-rc1 for Drupal allows remote attackers to hijack the authentication of users with 'administer taxonomy' permissions via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the author field.

all versions10 HIGH

The admin page in the Banckle Chat module for Drupal does not properly restrict access, which allows remote attackers to bypass intended restrictions via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (og_manager_change) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager autocomplete field.

= 7.0, = 7.16, = 7.18, = 7.15, = 7.9, = 7.10, = 7.17, = 7.11, = 7.12, = 7.13, = 7.4, = 7.5, = 7.6, = 7.3, = 7.8, = 7.x-dev, = 7.2, = 7.19, = 7.14, = 7.7, = 7.15 MEDIUM

The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions5 MEDIUM

The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields.

all versions6.8 MEDIUM

The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the User Relationships module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-alpha5 for Drupal allows remote authenticated users with the "administer user relationships" permission to inject arbitrary web script or HTML via a relationship name.

all versions4.4 MEDIUM

The Video module 7.x-2.x before 7.x-2.9 for Drupal, when using the FFmpeg transcoder, allows local users to execute arbitrary PHP code by modifying a temporary PHP file.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Mark Complete module 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

all versions6 MEDIUM

Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Search API Sorts module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified field labels.

>= 7.0, <= 7.826.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.

all versions5 MEDIUM

The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request.

all versions4.3 MEDIUM

The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when configured to automatically generate description meta tags from node text, does not properly filter node content when creating tags, which might allow remote attackers to obtain sensitive information by reading the (1) description, (2) dc.description or (3) og:description meta tags.

= 7.0, = 7.16, = 7.15, = 7.3, = 7.8, = 7.5, = 7.4, = 7.17, = 7.13, = 7.12, = 7.11, = 7.10, = 7.x-dev, = 7.6, = 7.9, = 7.1, = 7.14, = 7.2, = 7.7, = 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.4, = 6.17, = 6.8, = 6.1, = 6.26, = 6.22, = 6.21, = 6.10, = 6.5, = 6.23, = 6.11, = 6.7, = 6.19, = 6.12, = 6.9, = 6.16, = 6.3, = 6.6, = 6.20, = 6.156 MEDIUM

The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.

= 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.11, = 6.19, = 6.4, = 6.12, = 6.26, = 6.5, = 6.23, = 6.8, = 6.7, = 6.1, = 6.22, = 6.21, = 6.10, = 6.17, = 6.6, = 6.20, = 6.16, = 6.15, = 6.9, = 6.35 MEDIUM

Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.

= 6.0, = 6.2, = 6.14, = 6.24, = 6.13, = 6.25, = 6.18, = 6.10, = 6.5, = 6.23, = 6.4, = 6.17, = 6.11, = 6.7, = 6.19, = 6.12, = 6.8, = 6.1, = 6.26, = 6.22, = 6.21, = 6.3, = 6.9, = 6.16, = 6.6, = 6.20, = 6.15, = 7.0, = 7.16, = 7.15, = 7.3, = 7.6, = 7.9, = 7.13, = 7.8, = 7.12, = 7.5, = 7.10, = 7.17, = 7.11, = 7.x-dev, = 7.4, = 7.2, = 7.1, = 7.14, = 7.75 MEDIUM

Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x-1.x before 6.x-1.18 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the path aliases.

all versions3.5 LOW

The MultiLink module 6.x-2.x before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal does not properly check node permissions when generating an in-content link, which allows remote authenticated users with text-editing permissions to read arbitrary node titles via a generated link.

all versions2.6 LOW

The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Email Field module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the mailto link.

all versions2.1 LOW

The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the path to the user resource."

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1.x before 6.x-1.1 in Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via the Maxpanel token.

all versions7.5 HIGH

SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

all versions4.3 MEDIUM

The Table of Contents module 6.x-3.x before 6.x-3.8 for Drupal does not properly check node permissions, which allows remote attackers to read a node's headers by accessing a table of contents block.

all versions4.6 MEDIUM

The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Title has PHP" option is enabled, allows remote authenticated users with the "Administer OM Maximenu" permission to execute arbitrary PHP code via a "Link Title," a different vulnerability than CVE-2012-5553.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the ShareThis module 7.x-2.x before 7.x-2.5 for Drupal allow remote authenticated users with the "administer sharethis" permission to inject arbitrary web script or HTML via unspecified vectors related to "JavaScript settings."

all versions6.8 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action.

all versions5 MEDIUM

The default configuration for the Webform CiviCRM Integration module 7.x-3.x before 7.x-3.2 has "Enforce Permissions" disabled, which allows remote attackers to obtain contact information by reading webforms.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu module 6.x-1.x before 6.x-1.44 and 7.x-1.x before 7.x-1.44 for Drupal allow remote authenticated users with the "administer OM Maximenu" permission to inject arbitrary web script or HTML via the (1) Menu Title (2) Link Title, (3) Path Query, (4) Anchor, or (5) vocabulary names.

all versions5 MEDIUM

The Password policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to obtain password hashes by sniffing the network, related to "client-side password history checks."

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the MailChimp module 7.x-2.x before 7.x-2.7 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) a predictable "webhook URL key" and (2) improper sanitization of "Webhook variables from POST requests."

all versions7.5 HIGH

SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions3.6 LOW

The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) page title or (2) crafted email message.

all versions4 MEDIUM

The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard.

all versions4.3 MEDIUM

The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Commerce Extra Panes module 7.x-1.x before 7.x-1.1 in Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable a Commerce extra panes pane via unspecified vectors related to "the link to reorder items."

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Twitter Pull module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.0-rc3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "data coming from Twitter."

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Hostip module 6.x-2.x before 6.x-2.2 and 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers with control of hostip.info to inject arbitrary web script or HTML via unspecified vectors.

all versions3.5 LOW

The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is waiting to be approved.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the FileField Sources module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.6 for Drupal, when the field has "Reference existing" source enabled, allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.

all versions6.8 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors.

all versions6 MEDIUM

The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.

all versions5.1 MEDIUM

Unrestricted file upload vulnerability in upload.php in the Drag & Drop Gallery module 6.x-1.5 and earlier for Drupal allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the directory specified by the filedir parameter.

all versions3.5 LOW

The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "view any node page" or "view any node {type} page" permission to access unpublished nodes via a direct request.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to hijack the authentication of administrators.

all versions5 MEDIUM

Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions5 MEDIUM

The Security Questions module for Drupal 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.1 does not properly restrict access, which allows remote attackers to edit an arbitrary user's questions and answers via unspecified vectors.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Colorbox Node module 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.

all versions7.5 HIGH

SQL injection vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a user name in a private message.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.2 for Drupal, when "Log failed hashcash" is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid token, which is not properly handled when administrators use the Database logging module.

all versions7.5 HIGH

The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact.

all versions5 MEDIUM

The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the PATH_INFO.

= 7.0, = 7.15, = 7.6, = 7.8, = 7.9, = 7.14, = 7.3, = 7.5, = 7.10, = 7.12, = 7.4, = 7.11, = 7.13, = 7.7, = 7.1, = 7.26.8 MEDIUM

Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to "transient conditions."

= 7.0, = 7.15, = 7.8, = 7.9, = 7.10, = 7.3, = 7.5, = 7.12, = 7.14, = 7.4, = 7.6, = 7.11, = 7.13, = 7.7, = 7.1, = 7.25 MEDIUM

The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the administrative interface in the Better Revisions module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer better revisions" permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the "3 slide gallery" in the Elegant Theme module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via a slide URL.

all versions7.5 HIGH

The Activism module 6.x-2.x before 6.x-2.1 for Drupal does not properly restrict access to the "Campaign" content type, which might allow remote attackers to bypass access restrictions and possibly have other unspecified impact.

all versions4 MEDIUM

The Subuser module before 6.x-1.8 for Drupal does not properly check "switch subuser" permissions, which allows remote authenticated parent users to change their role by switching to a subuser they created.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Subuser module before 6.x-1.8 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that switch the user to a subuser via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the settings page (admin/settings/hotblocks) in the Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with the "administer hotblocks" permission to inject arbitrary web script or HTML via the "block names."

all versions3.5 LOW

The Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with the "administer hotblocks" permission to cause a denial of service (infinite loop and time out) via a block that references itself.

all versions4 MEDIUM

The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not properly restrict access to files outside Drupal's publish files directory, which allows remote authenticated users to send arbitrary files as attachments.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter.

all versions3.5 LOW

The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact.

all versions5 MEDIUM

The contact formatter page in the Email Field module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to email the stored address in the entity via unspecified vectors.

all versions4.3 MEDIUM

The Shibboleth authentication module 7.x-4.0 for Drupal does not properly check the active status of users, which allows remote blocked users to access bypass intended access restrictions and possibly have other impacts by logging in.

all versions5 MEDIUM

The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page.

all versions5.8 MEDIUM

Open redirect vulnerability in the securelogin_secure_redirect function in the Secure Login module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Excluded Users module 6.x-1.x before 6.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) user name or (2) email address.

all versions5.8 MEDIUM

The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by node_access modules, which allows remote attackers to access restricted nodes via unspecified vectors.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the galleryformatter_field_formatter_view functiuon in galleryformatter.tpl.php the Gallery formatter module before 7.x-1.2 for Drupal allow remote authenticated users with permissions to create a node or entity to inject arbitrary web script or HTML via the (1) title or (2) alt parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the administrative interface in the Campaign Monitor module before 6.x-2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).

all versions5 MEDIUM

The Ubercart SecureTrading Payment Method module 6.x for Drupal does not properly verify payment notification information, which allows remote attackers to purchase an item without paying via unspecified vectors.

all versions5 MEDIUM

The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussion.views_default.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions, which might allow remote attackers to obtain sensitive information via the recent comments listing.

all versions4.3 MEDIUM

The Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal does not properly handle the $user object in memcache_admin, which might "lead to a role change not being recognized until the user logs in again."

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in memcache_admin in the Memcache module 5.x before 5.x-1.10 and 6.x before 6.x-1.6 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions4.9 MEDIUM

Unspecified vulnerability in the Views Bulk Operations module 6 before 6.x-1.10 for Drupal allows remote authenticated users with user management permissions to bypass intended access restrictions and delete anonymous users (user 0) via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in video_filter.codecs.inc in the Video Filter module 6.x-2.x and 7.x-2.x for Drupal allows remote attackers to inject arbitrary web script or HTML via the EMBEDLOOKUP parameter for Blip.tv links.

all versions3.5 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Lingotek module 6.x-1.x before 6.x-1.40 for Drupal allow remote authenticated users to inject arbitrary web script or HTML when (1) creating or (2) editing page content.

all versions5 MEDIUM

The Registration Codes module before 6.x-2.4 for Drupal does not restrict access to the registration code list, which might allow remote attackers to bypass intended registration restrictions.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote authenticated users with edit stickynotes privileges to inject arbitrary web script or HTML via unspecified vecotrs.

all versions4.3 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors.

all versions3.5 LOW

Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters.

= 7.0, = 7.3, = 7.1, = 7.8, = 7.11, = 7.4, = 7.12, = 7.5, = 7.10, = 7.13, = 7.x-dev, = 7.6, = 7.9, = 7.7, = 7.25 MEDIUM

The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.

= 7.0, = 7.3, = 7.12, = 7.5, = 7.13, = 7.x-dev, = 7.6, = 7.9, = 7.8, = 7.1, = 7.11, = 7.10, = 7.4, = 7.2, = 7.74 MEDIUM

Drupal 7.x before 7.14 does not properly restrict access to nodes in a list when using a "contributed node access module," which allows remote authenticated users with the "Access the content overview page" permission to read all published nodes by accessing the admin/content page.

= 7.0, = 7.3, = 7.12, = 7.5, = 7.13, = 7.x-dev, = 7.6, = 7.9, = 7.4, = 7.1, = 7.8, = 7.11, = 7.10, = 7.2, = 7.73.5 LOW

Algorithmic complexity vulnerability in the _filter_url function in the text filtering system (modules/filter/filter.module) in Drupal 7.x before 7.14 allows remote authenticated users with certain roles to cause a denial of service (CPU consumption) via a long email address.

= 7.0, = 7.3, = 7.12, = 7.10, = 7.13, = 7.1, = 7.8, = 7.11, = 7.x-dev, = 7.6, = 7.9, = 7.5, = 7.4, = 7.2, = 7.74 MEDIUM

The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Support Ticketing System module 6.x-1.x before 6.x-1.7 for Drupal allows remote authenticated users with the "administer support projects" permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with permissions to "update Webform nodes" to inject arbitrary web script or HTML via unspecified vectors.

all versions6 MEDIUM

SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Taxonomy Navigator module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Admin:hover module for Drupal allows remote attackers to hijack the authentication of administrators for requests that unpublish all nodes, and possibly other actions, via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Taxotouch module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the SuperCron module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

all versions5 MEDIUM

The Fill PDF module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to write to arbitrary PDF files via unspecified vectors related to the fillpdf_merge_pdf function and incorrect arguments, a different vulnerability than CVE-2012-1625. NOTE: some of these details are obtained from third party information.

all versions6 MEDIUM

Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in password_policy.admin.inc in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote authenticated users with administer policies permissions to inject arbitrary web script or HTML via the name parameter.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in vud_term.module in the Vote Up/Down module 6.x-2.x before 6.x-2.8 and 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via taxonomy terms.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Managesite module 6.x-1.x before 6.1-1.1 for Drupal allow remote authenticated users with "administer managesite" permissions to inject arbitrary web script or HTML via the title parameter when (1) adding or (2) updating a category.

all versions6 MEDIUM

SQL injection vulnerability in the Search Autocomplete module before 7.x-2.1 for Drupal allows remote authenticated users with the "use search_autocomplete" permission to execute arbitrary SQL commands via unspecified vectors.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Submenu Tree module before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 6.x-3.x before 6.x-3.8 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via unspecified vectors related to "the vocabulary's help text."

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Taxonomy Views Integrator (TVI) module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, related to "views pages."

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Node Recommendation module 6.x-1.x before 6.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.

all versions6.8 MEDIUM

SQL injection vulnerability in the Multisite Search module 6.x-2.2 for Drupal allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the Site table prefix field.

all versions4 MEDIUM

Unspecified vulnerability in the UC PayDutchGroup / WeDeal payment module 6.x-1.0 for Drupal allows remote authenticated users to obtain account credentials via unknown attack vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Data module 6.x-1.x before 6.x-1.0 and 7.x-1.x before 7.x-1.0-alpha3 for Drupal allow remote authenticated users with the administer data tables permission to inject arbitrary web script or HTML via the title parameter in (1) data.views.inc and (2) data_ui/data_ui.admin.inc.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Read More Link module 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users with the access administration pages permission to inject arbitrary web script or HTML via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Admin tools module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors involving "not checking tokens."

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Ubercart Bulk Stock Updater module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors related to formAPI.

all versions6.4 MEDIUM

Open redirect vulnerability in the Redirecting click bouncer module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Admin tools module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the ticketyboo News Ticker module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions5 MEDIUM

The Ubercart Payflow module for Drupal does not use a secure token, which allows remote attackers to forge payments via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Content Lock module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Cool Aid module before 6.x-1.9 for Drupal allows remote authenticated users with the administer coolaid permission to inject arbitrary web script or HTML via unspecified vectors.

all versions4.9 MEDIUM

Cool Aid module before 6.x-1.9 for Drupal does not enforce access restrictions, which allows remote authenticated users with the administer coolaid permission to modify arbitrary pages via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Wishlist module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.6 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via the (1) wl_reveal or (2) q parameters.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Language Icons module 6.x-2.x before 6.x-2.1 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with administer languages permissions to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in fancy_slide.module in the Fancy Slide module before 6.x-2.7 for Drupal allow remote authenticated users with the administer fancy_slide permission to inject arbitrary web script or HTML via the (1) node_title or (2) nodequeue_title parameter.

all versions6.8 MEDIUM

Unspecified vulnerability in the CKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal, when the core PHP module is enabled, allows remote authenticated users or remote attackers to execute arbitrary PHP code via the text parameter to a text filter. NOTE: some of these details are obtained from third party information.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the FCKeditor module 6.x-2.x before 6.x-2.3 and the CKEditor module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.7 for Drupal allows remote authenticated users or remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in theme/views_lang_switch.theme.inc in the Views Language Switcher module before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter.

all versions5 MEDIUM

The Slidebox module before 7.x-1.4 for Drupal does not properly check permissions, which allows remote attackers to obtain sensitive information via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Gigya - Social optimization module 6.x before 6.x-3.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Commerce Reorder module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that add items to the shopping cart.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the fusion_core_preprocess_page function in fusion_core/template.php in the Fusion module before 6.x-1.13 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter.

all versions5 MEDIUM

The Advertisement module 6.x-2.x before 6.x-2.3 for Drupal does not properly restrict access to debug information, which allows remote attackers to obtain sensitive site configuration information that is specified by the $conf variable in settings.php.

all versions6 MEDIUM

The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions.

all versions6 MEDIUM

The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import.

all versions5 MEDIUM

includes/linkchecker.pages.inc in the Link checker module 6.x-2.x before 6.x-2.5 for Drupal does not properly enforce access permissions on broken links, which allows remote attackers to obtain sensitive information via unspecified vectors.

all versions5 MEDIUM

The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does not check the "administer permissions" permission, which allows remote attackers to modify access permissions via unspecified vectors.

all versions2.1 LOW

The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with certain administrator permissions to modify the vocabularies of other groups via unspecified vectors.

all versions2.6 LOW

The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION.

all versions6.4 MEDIUM

The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Creative Commons module 6.x-1.x before 6.x-1.1 for Drupal allow remote authenticated users with the administer creative commons permission to inject arbitrary web script or HTML via the (1) creativecommons_user_message or (2) creativecommons_site_license_additional_text parameter.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Node Limit Number module before 6.x-1.2 for Drupal allows remote attackers to hijack the authentication of users with the administer node limitnumber permission for requests that delete limits.

all versions5.1 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the ShareThis module 7.x-2.x before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of users with administer sharethis permissions via unknown vectors "outside of the Form API."

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Contact Forms module 6.x-1.x before 6.x-1.13 for Drupal when the core contact form is enabled, allows remote authenticated users with the administer site-wide contact form permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer blocks permission to inject arbitrary web script or HTML via the block title.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Share Buttons (AddToAny) module 6.x-3.x before 6.x-3.4 for Drupal allows remote authenticated users with the administer addtoany permission to inject arbitrary web script or HTML via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the CDN2 Video module 6.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

all versions5 MEDIUM

The Organic Groups (OG) module 6.x-2.x before 6.x-2.3 for Drupal does not properly restrict access, which allows remote attackers to obtain sensitive information such as private group titles via a request through the Views module.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the CDN2 Video module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions6 MEDIUM

The Bundle copy module 7.x-1.x before 7.x-1.1 for Drupal does not check for the "use PHP for settings" permission while importing settings, which allows remote authenticated users with certain permissions to execute arbitrary PHP code via unspecified vectors.

all versions5 MEDIUM

Unspecified vulnerability in certain default views in the Ubercart Views module 6.x before 6.x-3.2 for Drupal allows remote attackers to obtain sensitive information via unknown attack vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Contact Save module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the access site-wide contact form permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the administration forms in the ShareThis module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with administer sharethis permissions to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the RealName module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) "user names in page titles" and (2) "autocomplete callbacks."

all versions4.3 MEDIUM

The Linkit module 7.x-2.x before 7.x-2.3 for Drupal, when using an entity access module, does not check permissions when searching for entities, which allows remote attackers to obtain sensitive information via unspecified vectors.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal allow remote authenticated users with the administer product classes permission to inject arbitrary web script or HTML via unspecified vectors.

all versions2.1 LOW

The Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal stores passwords for new customers in plaintext during checkout, which allows local users to obtain sensitive information by reading from the database.

all versions5 MEDIUM

The Fivestar module 6.x-1.x before 6.x-1.20 for Drupal does not properly validate voting data, which allows remote attackers to manipulate voting averages via a negative value in the vote parameter.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Autosave module 6.x before 6.x-2.10 and 7.x-2.x before 7.x-2.0 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests involving "submitting saved results to a node."

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the cctags module for Drupal 6.x-1.x before 6.x-1.10 and 7.x-1.x before 7.x-1.10 allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors.

all versions7.5 HIGH

SQL injection vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Glossify Internal Links Auto SEO module for Drupal 6.x-2.5 and earlier allows remote authenticated users with certain roles to inject arbitrary web script or HTML via unspecified vectors.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Taxonomy Grid : Catalog module for Drupal 6.x-1.6 and earlier allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Addressbook module for Drupal 6.x-4.2 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

all versions5 MEDIUM

The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x. 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability.

all versions5 MEDIUM

Site Documentation (Sitedoc) module for Drupal 6.x-1.x before 6.x-1.4 does not properly check the save location when archiving, which allows remote attackers to obtain sensitive information via unspecified vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Node Gallery module for Drupal 6.x-3.1 and earlier allows remote attackers to hijack the authentication of certain users for requests that create node galleries.

all versions7.5 HIGH

The Spaces module 6.x-3.x before 6.x-3.4 for Drupal does not enforce permissions on non-object pages, which allows remote attackers to obtain sensitive information and possibly have other impacts via unspecified vectors to the (1) Spaces or (2) Spaces OG module.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Mobile Tools module 6.x-2.x before 6.x-2.3 for Drupal allow remote attackers to inject arbitrary web script or HTML via the (1) Mobile URL field or (2) Desktop URL field to the General configuration page, or the (3) message to the Mobile Tools block message options.

all versions4 MEDIUM

Unspecified vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote authenticated users to read the commissions of other users via unknown attack vectors.

all versions5 MEDIUM

The Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when creating a local user account, allows attackers to obtain part of the initial input used to generate passwords, which makes it easier to conduct brute force password guessing attacks.

all versions5.1 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) change workflows or (2) insert cross-site scripting (XSS) sequences.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in og.js in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal, when used with the Vertical Tabs module, allows remote authenticated users to inject arbitrary web script or HTML via vectors related the group title.

all versions7.5 HIGH

The Protected Node module 6.x-1.x before 6.x-1.6 for Drupal does not properly "protect node access when nodes are accessed outside of the standard node view," which allows remote attackers to bypass intended access restrictions.

all versions2.6 LOW

The Ubercart AJAX Cart 6.x-2.x before 6.x-2.1 for Drupal stores the PHP session id in the JavaScript settings array in page loads, which might allow remote attackers to obtain sensitive information by sniffing or reading the cache of the HTML of a webpage.

all versions6.8 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleMeta module 6.x-1.x before 6.x-2.0 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) delete or (2) add a meta tag entry.

all versions6.8 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Node Hierarchy module 6.x-1.x before 6.x-1.5 for Drupal allow remote attackers to hijack the authentication of administrators for requests that change a node hierarchy position via an (1) up or (2) down action.

all versions5.8 MEDIUM

Open redirect vulnerability in the Janrain Capture module 6.x-1.0 and 7.x-1.0 for Drupal, when synchronizing user data, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the Protest module 6.x-1.x before 6.x-1.2 or 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer protest" permission to inject arbitrary web script or HTML via the protest_body parameter.

all versions3.5 LOW

classes/Filter/WhitelistedExternalFilter.php in the Authoring HTML module 6.x-1.x before 6.x-1.1 for Drupal does not properly validate sources with the host white list, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the Maestro module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with maestro admin permissions to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

The node selection interface in the WYSIWYG editor (CKEditor) in the Node Embed module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.0 for Drupal does not properly check permissions, which allows remote attackers to bypass intended access restrictions and read node titles.

all versions5 MEDIUM

The Token Authentication (tokenauth) module 6.x-1.x before 6.x-1.7 for Drupal does not properly revert user sessions, which might allow remote attackers to perform requests with extra privileges.

all versions2.6 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.1 for Drupal, when supporting manual entry of field identifiers, allow remote attackers to inject arbitrary web script or HTML via vectors related to thrown exceptions and logging errors.

all versions5.8 MEDIUM

The Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal does not properly exit when users do not have access to package/task nodes, which allows remote attackers to bypass intended access restrictions and edit unauthorized nodes.

all versions5.1 MEDIUM

The filedepot module 6.x-1.x before 6.x-1.3 for Drupal, when accessed using multiple different browsers from the same IP address, causes Internet Explorer sessions to "switch users" when uploading a file, which has unspecified impact possibly involving file uploads to the wrong user directory, aka "Session Management Vulnerability."

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Post Affiliate Pro (PAP) module for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to user registration.

all versions6.8 MEDIUM

The default views in the Organic Groups (OG) module 6.x-2.x before 6.x-2.4 for Drupal do not properly check permissions when all users have the "access content" permission removed, which allows remote attackers to bypass access restrictions and possibly have other unspecified impact.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy List module 6.x-1.x before 6.x-1.4 for Drupal allow remote authenticated users with create or edit taxonomy terms permissions to inject arbitrary web script or HTML via vectors related to taxonomy information.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the themes_links function in template.php in the Amadou theme module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to class attributes in a list of links.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that login a user to another web site.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the Zen module 6.x-1.x before 6.x-1.1 for Drupal, when "Append the content title to the end of the breadcrumb" is enabled, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb.

all versions2.1 LOW

Cross-site scripting (XSS) vulnerability in the _hosting_task_log_table function in modules/hosting/task/hosting_task.module in the Hostmaster (Aegir) module 6.x-1.x before 6.x-1.9 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a Drush log message in a provision task log.

all versions2.1 LOW

The filter_titles function in the Smart Breadcrumb module 6.x-1.x before 6.x-1.3 for Drupal does not properly convert a title to plain-text, which allows remote authenticated users with create or edit node permissions to conduct cross-site scripting (XSS) attacks via the title parameter.

all versions5 MEDIUM

The Ubercart Product Keys module 6.x-1.x before 6.x-1.1 for Drupal does not properly check access for product keys, which allows remote attackers to read all unassigned product keys via certain conditions related to the uid.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the Advertisement module 6.x-2.x before 6.x-2.3 for Drupal, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to the "$conf variable in settings.php."

all versions5.8 MEDIUM

Open redirect vulnerability in the Global Redirect module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal, when non-clean to clean is enabled, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Comment Moderation module 6.x-1.x before 6.x-1.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that publish comments.

all versions7.5 HIGH

SQL injection vulnerability in the Counter module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to "recording visits."

= 7.0, = 5.10, = 5.4, = 6.0, = 6.2, = 5.17, = 7.8, = 6.4, = 7.5, = 6.14, = 5.13, = 5.2, = 6.18, = 6.12, = 5.7, = 7.3, = 6.13, = 5.12, = 7.9, = 7.1, = 6.6, = 6.11, = 6.7, = 5.15, = 5.0, = 5.18, = 5.5, <= 7.14, = 7.12, = 7.4, = 5.23, = 5.22, = 5.19, = 7.6, = 6.8, = 6.1, = 6.5, = 5.16, = 5.6, = 7.11, = 7.10, = 6.10, = 6.17, = 5.1, = 5.21, = 6.16, = 5.9, = 5.20, = 6.3, = 5.8, = 7.7, = 6.15, = 5.14, = 5.3, = 7.2, = 6.9, = 5.115 MEDIUM

The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Glossary module 6.x-1.x before 6.x-1.8 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "taxonomy information."

all versions3.5 LOW

The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not specify sufficiently restrictive permissions, which allows remote authenticated users with the "access the site-wide contact form" permission to modify the module settings via unspecified vectors.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the aberdeen_breadcrumb function in template.php in the Aberdeen theme 6.x-1.x before 6.x-1.11 for Drupal, when set to append the content title to the breadcrumb, allows remote attackers to inject arbitrary web script or HTML via the content title in a breadcrumb.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Take Control module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to hijack the authentication of unspecified users for Ajax requests that manipulate files.

= 7.0, = 7.3, = 7.8, = 7.7, = 7.6, = 7.5, = 7.12, = 7.11, = 7.4, = 7.10, = 7.9, = 7.1, = 7.x-dev, = 7.25.8 MEDIUM

Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL.

= 4.6.0, = 4.6, = 7.0, = 5.10, = 5.4, = 4.6.5, = 4.5.4, = 6.18, = 6.0, = 5.13, = 5.17, = 4.6.9, = 6.2, = 5.12, = 6.14, = 6.13, = 6.24, = 4.7.2, = 4.6.10, = 4.5.0, = 7.10, = 7.3, = 6.12, = 5.1_rev1.1, = 4.7_revision_1.2, = 4.7.10, = 7.8, = 7.6, = 7.5, = 6.11, = 4.7.8, = 4.5.7, = 4.0, = 4.5.2, = 5.16, = 5.2, = 5.0, = 4.7.3, = 4.4, = 7.9, = 6.4, = 5.7, = 5.23, = 4.7.5, = 4.6.8, = 4.6.2, <= 7.12, = 7.1, = 6.22, = 6.16, = 5.3, = 5.19, = 5.5, = 4.4.3, = 4.6.11, = 4.7.0, = 4.7, = 4.6.1, = 4.6.7, = 4.5.1, = 4.5, = 7.7, = 7.4, = 6.10, = 6.1, = 6.3, = 5.1, = 5.21, = 5.22, = 5.8, = 4.5.8, = 4.7.6, = 4.7.1, = 4.5.5, = 4.0.0, = 6.6, = 6.7, = 6.5, = 6.21, = 6.23, = 5.15, = 5.14, = 4.7.4, = 4.7.7, = 4.6.4, = 4.4.1, = 7.11, = 7.2, = 7.x-dev, = 6.15, = 6.8, = 6.x-dev, = 6.19, = 6.17, = 5.x, = 5.18, = 5.9, = 5.6, = 4.1.0, = 4.2.0_rc, = 4.7_rev1.15, = 4.7.9, = 4.6.3, = 4.4.2, = 6.20, = 5.20, = 5.5., = 4.7_rev_1.2, = 4.7_rev_1.15, = 6.9, = 5.11, = 4.5.6, = 4.5.3, = 4.6.6, = 4.4.06.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off.

all versions7.5 HIGH

SQL injection vulnerability in the Views module before 6.x-2.13 for Drupal allows remote attackers to execute arbitrary SQL commands via vectors related to "filters/arguments on certain types of views with specific configurations of arguments."

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in revisioning_theme.inc in the Taxonomy module in the Revisioning module 6.x-3.13 and other versions before 6.x-3.14 for Drupal allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) tags or (2) term parameters.

all versions5 MEDIUM

The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors.

all versions6 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control."

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in display_renderers/panels_renderer_editor.class.php in the admin view in the Panels module 6.x-2.x before 6.x-3.10 and 7.x-3.x before 7.x-3.0 for Drupal allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the Region title.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Meta tags quick module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, probably related to "names of entity bundles."

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Petition Node module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to signing a petition.

= 7.05 MEDIUM

Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Flag Content module 5.x-2.x before 5.x-2.10 for Drupal allows remote attackers to inject arbitrary web script or HTML via the Reason parameter.

= 7.0, = 7.1, = 7.27.5 HIGH

Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in the Category Tokens module 6.x before 6.x-1.1 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML by editing or creating vocabulary names, which are not properly handled in token help.